SENTINEL INTELLIGENCE PROTOCOL  ·  TLP:WHITE  ·  AUTHORIZED DISTRIBUTION ONLY

LAW ENFORCEMENT · BOTNETS · DDOS · MEDIUM

Operation NEXUS DRAIN: Joint Task Force Dismantles 403,000-Node Botnet Infrastructure

A coordinated takedown operation involving the FBI, Europol, and law enforcement agencies from 19 countries has disrupted a massive botnet used to conduct DDoS attacks, credential stuffing campaigns, and proxy-as-a-service operations.

By Sentinel Staff
2025-06-04

Operation Summary

The U.S. Department of Justice announced on June 4, 2025, the conclusion of Operation NEXUS DRAIN, a 14-month joint law enforcement operation that resulted in the seizure of the command-and-control infrastructure of a botnet composed of approximately 403,000 compromised devices across 47 countries.

The operation resulted in the arrest of three individuals in Ukraine, Romania, and Germany, the seizure of 89 servers across 12 jurisdictions, and the disruption of an operation that generated an estimated $31M in annual revenue through DDoS-for-hire and residential proxy services.

Botnet Characteristics

The botnet, internally referred to by operators as "HYDRUS," primarily targeted consumer-grade routers and network-attached storage devices through exploitation of known vulnerabilities in popular firmware versions. Approximately 67% of compromised devices were located in the United States, Germany, Brazil, and India.

Key operational capabilities included:

  • DDoS-as-a-service: Capable of generating attacks in excess of 3.2 Tbps; confirmed attacks against financial institutions, gaming platforms, and at least one critical infrastructure provider
  • Residential proxy service: Approximately 180,000 nodes actively used to route malicious traffic through residential IP addresses, enabling credential stuffing and fraud operations
  • Cryptomining: A subset of approximately 45,000 high-CPU-capacity nodes covertly enrolled in Monero mining pools

Legal Actions

Three individuals have been arrested:

  • Mikhail V., 31, Kyiv, Ukraine — alleged operator and developer of the botnet management platform
  • Constantin B., 27, Bucharest, Romania — alleged operator of the DDoS-for-hire storefront
  • An unnamed minor in Germany — alleged to have operated a significant node cluster

The DOJ has unsealed an indictment in the Eastern District of Virginia charging the two adults with conspiracy to commit computer fraud, wire fraud, and unauthorized computer access.

Device Remediation

The FBI has issued a public notification to internet service providers with lists of affected IP addresses, enabling ISPs to notify customers of potential device compromise. Affected device owners should factory-reset the device and then immediately apply the latest firmware from the manufacturer's official website: a reset alone removes the implant but leaves the original vulnerability in place, so an unpatched device reconnected to the internet can simply be reinfected. Owners should also set a new administrator password and disable remote (WAN-side) management unless it is genuinely needed.
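As an added example (not code from the article, the FBI, or any ISP), the block below shows how an ISP might cross-reference a notification list against its own customer IP assignments. The two-column indicator layout, the assignment records, the 30-day staleness cut-off, and every address and account ID are constructed assumptions. The point it demonstrates is that on dynamic address pools the customer to notify is whoever held the address at the time it was observed, not whoever holds it today.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data.  The "ip_or_cidr,last_seen_utc" layout, the account
# records and the addresses are assumptions for this example, not the format
# of any real notification list.
INDICATORS = """\
# ip_or_cidr,last_seen_utc
203.0.113.17,2025-06-01T08:14:00Z
198.51.100.0/28,2025-05-30T22:03:00Z
192.0.2.200,2025-02-11T04:00:00Z
not-an-address,2025-06-01T00:00:00Z
"""

ASSIGNMENTS = """\
# account_id,ip,assigned_from_utc,assigned_to_utc
acct-1001,203.0.113.17,2025-05-28T00:00:00Z,2025-06-03T00:00:00Z
acct-1002,203.0.113.17,2025-06-03T00:00:00Z,2025-06-05T00:00:00Z
acct-2001,198.51.100.9,2025-05-01T00:00:00Z,2025-06-10T00:00:00Z
acct-3001,192.0.2.200,2025-02-01T00:00:00Z,2025-03-01T00:00:00Z
acct-4001,192.0.2.201,2025-05-01T00:00:00Z,2025-06-10T00:00:00Z
"""


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    last_seen: datetime


@dataclass(frozen=True)
class Assignment:
    account_id: str
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    start: datetime   # inclusive
    end: datetime     # exclusive


def parse_ts(value: str) -> datetime:
    """ISO-8601 timestamp with a trailing Z, returned as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _records(text: str):
    """Yield stripped, non-empty, non-comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_indicators(text: str) -> tuple[list[Indicator], list[str]]:
    """Parse the list; malformed lines are returned separately, never silently dropped."""
    indicators, rejected = [], []
    for line in _records(text):
        try:
            ip_field, seen_field = (f.strip() for f in line.split(","))
            # strict=False lets a bare host address become a /32 (or /128) network.
            net = ipaddress.ip_network(ip_field, strict=False)
            indicators.append(Indicator(net, parse_ts(seen_field)))
        except ValueError:
            rejected.append(line)
    return indicators, rejected


def parse_assignments(text: str) -> list[Assignment]:
    out = []
    for line in _records(text):
        acct, ip, start, end = (f.strip() for f in line.split(","))
        out.append(Assignment(acct, ipaddress.ip_address(ip), parse_ts(start), parse_ts(end)))
    return out


def accounts_to_notify(indicators, assignments, now=None, max_age=timedelta(days=30)):
    """Return sorted (account_id, ip, last_seen) tuples for each customer who held a
    listed address at the time it was observed.  Matching on the observation time,
    not on the current holder, is what makes this correct for dynamic pools."""
    now = now or datetime.now(timezone.utc)
    hits = set()
    for ind in indicators:
        if now - ind.last_seen > max_age:
            continue  # stale sighting: the address has likely moved on; do not notify
        for a in assignments:
            if a.ip in ind.network and a.start <= ind.last_seen < a.end:
                hits.add((a.account_id, str(a.ip), ind.last_seen.isoformat()))
    return sorted(hits)


if __name__ == "__main__":
    inds, bad = parse_indicators(INDICATORS)
    for hit in accounts_to_notify(inds, parse_assignments(ASSIGNMENTS),
                                  now=parse_ts("2025-06-04T12:00:00Z")):
        print("notify", *hit)
    for line in bad:
        print("rejected indicator line:", line)
```

With the constructed data, 203.0.113.17 resolves to acct-1001 (the holder on June 1) rather than acct-1002 (the current holder), the /28 indicator matches acct-2001's address inside that range, the February sighting is discarded as stale even though acct-3001 held that address at the time, and the malformed line is reported rather than swallowed.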

Affected devices include various TP-Link Archer, ASUS RT-series, and Netgear Nighthawk routers, and Synology DiskStation NAS appliances, all running unpatched firmware.